A9. Access Control
- Is physical and logical user access to audit logs restricted to authorized personnel?
- Do you require periodic authorization and validation (e.g. at least annually) of the entitlements of all system users and administrators (excluding users maintained by your tenants), based on the principle of least privilege?
- Are controls in place to prevent unauthorized access to tenant application, program, or object source code, and to ensure it is restricted to authorized personnel only?
- Do you have controls in place ensuring the timely removal of system access that is no longer required for business purposes?
- Do you have a written policy for handling user changes (joiners, movers, leavers)?
- Do you disable access rights immediately upon termination of employment?
- Do you have a written password management policy?
- Do you allow remote access?
- Do you use generic accounts to access servers and applications for administrative purposes?
- Do you allow multiple employees to use the same login?
- Is access role based depending on the employee's function?
- Do you monitor and review access attempts?
- Have factory default account details been changed?
- Do you have an identity and access management policy in place?